NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I. Who We Are
This Notice describes the privacy practices of your home healthcare company.
II. Our Privacy Obligations
We are required by law to maintain the privacy of your health information (“Protected Health Information” or “PHI”) and to provide you with this Notice of our legal duties and privacy practices with respect to your Protected Health Information. When we use or disclose your Protected Health Information, we are required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure).
III. Permissible Uses and Disclosures Without Your Written Authorization
In certain situations, which we will describe in Section IV below, we must obtain your written authorization in order to use and/or disclose your PHI. However, we do not need any type of authorization from you for the following uses and disclosures.
A. Uses and Disclosures for Treatment, Payment, and Healthcare Operations.
We may use and disclose PHI, but not your “Highly Confidential Information” (defined in Section IV. C below), in order to treat you, obtain payment for equipment and services provided to you and conduct our “healthcare operations” as detailed below:
- Treatment. We use and disclose your PHI to provide treatment and other services to you — for example, to treat your injury or illness. In addition, we may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you. We may also disclose PHI to other providers involved in your treatment.
- Payment. We may use and disclose your PHI to obtain payment for equipment and services that we provide to you — for example, disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your healthcare (“Your Payor”) to verify that Your Payor will pay for healthcare.
- Healthcare Operations. We may use and disclose your PHI for our healthcare operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. For example, we may use PHI to evaluate the quality and competence of our respiratory therapists, nurses and other healthcare workers.
We may also disclose PHI to your other healthcare providers when such PHI is required for them to treat you, receive payment for services they render to you, or conduct certain healthcare operations, such as quality assessment and improvement activities, reviewing the quality and competence of healthcare professionals, or for healthcare fraud and abuse detection or compliance.
B. Disclosure to Relatives, Close Friends, and Other Caregivers.
We may use or disclose your PHI to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if we (1) obtain your agreement; (2) provide you with the opportunity to object to the disclosure and you do not object; or (3) reasonably infer that you do not object to the disclosure. If you are not present, or the opportunity to agree or object to a use or disclosure cannot practicably be provided because of your incapacity or an emergency circumstance, we may exercise our professional judgment to determine whether a disclosure is in your best interests. If we disclose information to a family member, other relative or a close personal friend, we would disclose only information that we believe is directly relevant to the public’s involvement with your healthcare or payment related to your healthcare. We may also disclose your PHI in order to notify (or assist in notifying) such persons of your location, general condition or death.
C. Public Health Activities.
We may disclose your PHI for the following public health activities: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to public health authorities or other government authorities authorized by law to receive such reports; (3) to report information about products and services under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.
D. Victims of Abuse, Neglect, or Domestic Violence.
If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence.
E. Health Oversight Activities.
We may disclose your PHI to a health oversight agency that oversees the healthcare system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.
F. Judicial and Administrative Proceedings.
We may disclose your PHI in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.
G. Law Enforcement Officials.
We may disclose your PHI to the police or other law enforcement officials as required or permitted by law or in compliance with a court order or a grand jury or administrative subpoena.
H. Decedents.
We may disclose your PHI to a coroner or medical examiner as authorized by law.
I. Organ and Tissue Procurement.
We may disclose your PHI to organizations that facilitate organ, eye or tissue procurement, banking or transplantation.
J. Research.
We may use or disclose your PHI without your consent or authorization if an Institutional Review Board or Privacy Board approves a waiver of authorization for disclosure.
K. Health or Safety.
We may use or disclose your PHI to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.
L. Specialized Government Functions.
We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State under certain circumstances.
M. Workers’ Compensation.
We may disclose your PHI as authorized by and to the extent necessary to comply with state law relating to workers’ compensation or other similar programs.
N. As Required by Law.
We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories.
IV. Uses and Disclosures Requiring Your Written Authorization
A. Use or Disclosure with Your Authorization.
For any purpose other than the ones described above in Section III, we may use or disclose your PHI only when you grant us your written authorization (“Your Authorization”). For instance, you will need to execute an authorization before we can send your PHI to your life insurance company or to the attorney representing the other party in litigation in which you are involved.
B. Marketing.
We must also obtain your written authorization (“Your Marketing Authorization”) prior to using your PHI to send you any marketing materials. (We can, however, provide you with marketing materials in a face-to-face encounter without obtaining Your Marketing Authorization. We are also permitted to give you a promotional gift of nominal value, if we so choose, without obtaining Your Marketing Authorization.) In addition, we may communicate with you about products or services relating to your treatment, case management or care coordination, or alternative treatments, therapies, providers or care settings without Your Marketing Authorization.
C. Uses and Disclosures of Your Highly Confidential Information.
In addition, federal and state law require special privacy protections for certain highly confidential information about you (“Highly Confidential Information”). We will comply with such special privacy protections which may cover the subset of your PHI that: (1) is maintained in psychotherapy notes; (2) is about mental health and developmental disabilities services; (3) is about alcohol and drug abuse prevention, treatment and referral; (4) is about HIV/AIDS testing, diagnosis or treatment; (5) is about venereal disease(s); (6) is about genetic testing; (7) is about child abuse and neglect; (8) is about domestic abuse of an adult with a disability; (9) is about sexual assault; or (10) is about abortion.
V. Your Rights Regarding Your Protected Health Information
A. For Further Information; Complaints.
If you desire further information about your privacy rights, are concerned that we have violated your privacy rights or disagree with a decision that we made about access to your PHI, you may contact our Physician and Patient Relations Department. You may also file written complaints with the Director, Office for Civil Rights of the U.S. Department of Health and Human Services. Upon request, the Physician and Patient Relations Department will provide you with the correct address for the Director. We will not retaliate against you if you file a complaint with us or the Director.
B. Right to Request Restrictions.
You may request restrictions on our use and disclosure of your PHI (1) for treatment, payment and healthcare operations; (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care; or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for restrictions carefully, we are not required to agree to a requested restriction, except that in certain instances we must agree to a restriction relating to a disclosure to a health plan for the purposes of carrying out payment or healthcare operations in which the PHI pertains solely to a healthcare item or service for which the healthcare provider involved has already been paid out of pocket in full. If you wish to request restrictions, please submit a written request to our Physician and Patient Relations Department. A form to request restrictions is available upon request from the Physician and Patient Relations Department.
C. Right to Receive Confidential Communications.
You may request, and we will accommodate, any reasonable written request for you to receive your PHI by alternative means of communication or at alternative locations.
D. Right to Revoke Your Authorization.
You may revoke Your Authorization, Your Marketing Authorization or any written authorization obtained in connection with your Highly Confidential Information, except to the extent that we have taken action in reliance upon it, by delivering a written revocation statement to the Physician and Patient Relations Department identified below. A form of written revocation is available upon request from the Physician and Patient Relations Department.
E. Right to Inspect and Copy Your Health Information.
You may request access to your medical record file and billing records maintained by us in order to inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you desire access to your records, please submit a written request to the Physician and Patient Relations Department. You may obtain a record request form from the Physician and Patient Relations Department and submit the completed form to the Physician and Patient Relations Department. Requests for a copy of a limited amount of your medical or billing records (e.g., a prescription) maintained by us on-site may be made orally to our local facility. We may, however, require that you submit a written request to the Physician and Patient Relations Department.
F. Right to Amend Your Records.
You have the right to request that we amend Protected Health Information maintained in your medical record file or billing records. If you desire to amend your records, please send a written request for the amendment, including the reason for the amendment, to the Physician and Patient Relations Department. You may obtain a form to request an amendment from the Physician and Patient Relations Department. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply.
G. Right to Receive an Accounting of Disclosures.
Upon request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time prior to the date of your request provided such period does not exceed six years and does not apply to disclosures that occurred prior to April 14, 2003.
H. Right to Receive Paper Copy of This Notice.
Upon request, you may obtain a paper copy of this Notice, even if you have agreed to receive such notice electronically.
I. Right to Request Retention Information and Deletion.
You have the right to be informed of how long we retain your Protected Health Information and to request deletion of information that is not subject to a legal retention obligation. See Section VI for details.
VI. Data Retention and Deletion
A. How Long We Retain Your Protected Health Information.
We retain your Protected Health Information (“PHI”) for as long as necessary to provide pharmacy services to you, to comply with our legal, regulatory, and accreditation obligations, and to support legitimate business purposes such as billing, audit, and dispute resolution. Specific retention periods are driven by the type of record:
- Prescription records and pharmacy dispensing records are retained for a minimum of ten (10) years from the date of the last dispensing event, consistent with the Illinois Pharmacy Practice Act and the longer of any applicable retention period in the jurisdictions where we are licensed.
- Controlled-substance records are retained for a minimum of five (5) years, or longer where state law requires, in accordance with the federal Controlled Substances Act and U.S. Drug Enforcement Administration regulations (21 C.F.R. Part 1304).
- Billing, claims, and payment records are retained for a minimum of seven (7) years from the date of service, or longer where required by Medicare, Medicaid, or other payor rules.
- HIPAA documentation (including this Notice, authorizations, accountings of disclosure, and records of patient requests) is retained for a minimum of six (6) years from the date of creation or the date when it was last in effect, whichever is later, as required by 45 C.F.R. § 164.530(j).
- Account, registration, and patient-portal records, including text-messaging opt-ins, are retained for the duration of your relationship with Carepoint Pharmacy and for a reasonable period thereafter to support recordkeeping, audit, and legal-defense needs.
Where multiple retention requirements apply to the same record, we retain the record for the longest applicable period. Records subject to a legal hold, government investigation, audit, or active litigation are retained until the hold is lifted, even if the period above has expired.
B. How Your Information Is Stored and Protected.
PHI is stored in secure electronic pharmacy and patient-management systems, and in limited cases in physical form, with administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). Access is restricted to workforce members and business associates with a legitimate need to know.
C. How We Dispose of Your Information.
When PHI is no longer required to be retained under Section VI.A and is not subject to any legal hold, we dispose of it using methods designed to render the information unreadable, indecipherable, and otherwise unable to be reconstructed, consistent with U.S. Department of Health and Human Services guidance and NIST Special Publication 800-88. Paper records are shredded or incinerated. Electronic records are deleted, degaussed, or purged from active systems and backup media in accordance with our records-disposal schedule.
D. Your Right to Request Deletion of Your Information.
HIPAA does not provide an absolute right to have your PHI deleted from a pharmacy’s records, because federal and state law require us to retain prescription, dispensing, billing, and HIPAA-compliance records for the minimum periods described in Section VI.A. However, you have the following related rights:
- Account closure and ending the patient relationship. You may end your patient relationship with Carepoint Pharmacy at any time by contacting the Physician and Patient Relations Department. Upon closure, we will stop using your information to provide pharmacy services and will retain the underlying records only for the minimum periods required by law.
- Deletion of information not subject to a retention requirement. You may request deletion of information that we are not required by law, regulation, or accreditation standard to retain — for example, optional profile data, marketing preferences, or text-message enrollment data. We will honor such requests within a reasonable time after verifying your identity.
- Restriction of future use and disclosure. As described in Section V.B, you may request restrictions on how we use and disclose your PHI, including a right in certain circumstances to restrict disclosure to a health plan for items or services you paid for out of pocket in full.
- Revocation of authorization. As described in Section V.D, you may revoke any prior authorization you have given us, except to the extent we have already acted in reliance on it.
- Unsubscribing from communications. You may opt out of text-message and marketing communications at any time as described elsewhere in this Notice and in our Terms and Conditions, without affecting the underlying pharmacy record.
To make a deletion or account-closure request, please submit a written request to the Physician and Patient Relations Department at the address in Section VIII. We will respond within thirty (30) days, and will explain in writing if any portion of your request cannot be fulfilled because the information is subject to a legal retention obligation.
VII. Effective Date and Duration of This Notice
A. Effective Date.
This Notice is effective as of August 25th, 2022.
B. Right to Change Terms of This Notice.
We reserve the right to change the terms of this Notice at any time. If we change this Notice, we may make the new notice terms effective for all Protected Health Information that we maintain, including any information created or received prior to issuing the new notice. If we change this Notice, we will post the new notice in waiting areas at our facility and on our Internet site. You also may obtain any new notice by contacting the Physician and Patient Relations Department.
VIII. Physician and Patient Relations Department
You may contact the Physician and Patient Relations Department at:
Physician and Patient Relations Department
9 E Commerce Drive
Schaumburg, IL 60173
Telephone Number: (855) 237-9112
Facsimile Number: (855) 237-9113
Carepoint Patient Text Messaging Services
- There are various messages you can expect to receive from us including, but not limited to, a “welcome” message, auto refill notifications and confirmations, delivery confirmations, order confirmations, and available for refill notifications.
- You can cancel the SMS service at any time. Just text “STOP” to the short code. After you send the SMS message “STOP” to us, we will send you an SMS message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. If you want to join again, just sign up as you did the first time and we will start sending SMS messages to you again.
- If you are experiencing issues with the messaging program, you can reply with the keyword HELP for more assistance, or you can get help directly at 855-237-9112.
- Carriers are not liable for delayed or undelivered messages.
- As always, message and data rates may apply for any messages sent to you from us and to us from you. You will receive up to 5 messages a day. If you have any questions about your text plan or data plan, it is best to contact your wireless provider.
- If you have any questions regarding privacy, please read our privacy policy above and review our Terms and Conditions here: https://carepoint.pharmacy/terms-conditions/